SolusVM Security Update!

[MannDude]

http://blog.soluslabs.com/2013/06/19/security-updates-available-for-all-solusvm-versions/

No real news of what is in it, but worth posting. Wondering if the exploits that 'did not exist' actually exist?

Discuss.

 

[maounique]

Ah, so the denial is over ?

Damn, we were starting to believe them that the new exploits are just rumours, I think this confirms them.

 

[drmike]

About DAMN time.

 

[perennate]

"Security Team"

 

[D. Strout]

Somehow I get the feeling that this update won't do that much to restore confidence in SVM. I know I still don't place much confidence in it.

 

[mojeda]

Just got this via email
 

Soluslabs Ltd Wednesday, June 19, 2013
03:25:58 AM GMT 0

PLEASE READ THIS INFORMATION CAREFULLY. THIS INFORMATION IS RELEVANT TO ALL VERSIONS OF SOLUSVM, INCLUDING BETA VERSIONS.
As you may be aware we are currently running a full in house and external code audit. This release contains several important security fixes for all versions of SolusVM.

We highly suggest you update your system as soon as possible. Updates are available through the normal channels.

Latest Beta Version: 1.14.00 R5
Latest Stable Version: 1.13.05

Please be aware the audit is still underway and more updates may follow.

Thank you for your co-operation and understanding.

Regards,
Soluslabs Security Team

Edit: sorry of this is what the blog post was, the solusvm website and blog do not load for me...

 

[netnub]

And you thought I was joking about the vulnerabilities I was holding with me. Guess you were wrong.

Let's go discover more zero-day's on solusvm, shall we?

 

[qps]

FYI -- when updating to the latest version, if your clients' VPS has an invalid hostname, it will be replaced with vps.server.com.  Per Phill @ SolusVM, this is expected.

 

[MannDude]

I've got Phill to agree to do a 'Reddit style AMA' (ask me anything // ask me almost anything) so the community can ask him questions regarding the exploit(s), security, the future of SolusVM, or any other concerns. He says he's been up for 2 days and I imagine he'll be busy, but I'll try to get this going while the subject is still relevant. This will be the first in a series of scheduled posts where the community can ask individuals from the industry questions directly regarding current events/news that are relevant at the time.

 

[Marc M.]

@MannDude Where can we start asking, cause I have at least two very short and to the point but very serious questions to ask, and I'm hoping that some minimal changes will be implemented after this. Thanks.

 

[Daniel]

SolusVM are going to post a report later today.

http://docs.solusvm.com/release_versions_beta#revision_4_16_june_2013

 

[peterw]

An update for a nonexisting security issue? Did they not write an announcement that SolusVM is secure?

In the meantime, we do not believe there to by any immediate threat to customers.

All histeria and all customers should start their SolusVM again? 12 hours later a security fix?

I don't trust SolusVM any longer.

 

[willie]

 

SolusVM are going to post a report later today.


 

http://docs.solusvm.com/release_versions_beta#revision_4_16_june_2013

 

Too late, they have already released another important fix:

http://docs.solusvm.com/release_versions_beta#revision_5_19_june_2013

 

[necs]

Please be aware the audit is still underway and more updates may follow... 

:angry:  :angry: 

 

[Hassan]

Leaving my SolusVM disabled until a report on the full audit is released seems like a smart idea at the moment.

 

[concerto49]

Leaving my SolusVM disabled until a report on the full audit is released seems like a smart idea at the moment.

Still waiting on it sadly. I hope they understand that it's urgent.

 

[willie]

I wouldn't take any "audit" seriously that comes out less than a month from now. The reviewers have to go thru the code base, quickly find and point out the most insane idiocy (of which there is surely plenty left to find), smack the developers into understanding what is wrong, then keep looking for subtler problems while the developers fix the simple stuff. There may be issues requiring large-scale refactoring rather than getting rid of an exec here or there. Then the patch versions have to be reviewed and adversarially tested (i.e. by penetration testers from a security shop, not just normal QA within the company), there will probably be another round of patches, etc. I don't think the product is beyond hope of repair, but the problems seen have been so severe, and known for so long, that the company has little credibility left. They are going to have to bite some large bullets to get it right.

 

[mr.tuppington]

I wouldn't take any "audit" seriously that comes out less than a month from now. The reviewers have to go thru the code base, quickly find and point out the most insane idiocy (of which there is surely plenty left to find), smack the developers into understanding what is wrong, then keep looking for subtler problems while the developers fix the simple stuff. There may be issues requiring large-scale refactoring rather than getting rid of an exec here or there. Then the patch versions have to be reviewed and adversarially tested (i.e. by penetration testers from a security shop, not just normal QA within the company), there will probably be another round of patches, etc. I don't think the product is beyond hope of repair, but the problems seen have been so severe, and known for so long, that the company has little credibility left. They are going to have to bite some large bullets to get it right.

Agreed:   audits can find many things and they likely will vary greatly in complexity.  Here's hoping they can move fast (and smart) on the difficult stuff.